[jboss-jira] [JBoss JIRA] (WFLY-7842) Security-Realm Authorization over LDAP doesn't permit multiple Attribute names as filter.

Daniel Draper (JIRA) issues at jboss.org
Mon Jan 2 05:05:00 EST 2017


Daniel Draper created WFLY-7842:
-----------------------------------

             Summary:  Security-Realm Authorization over LDAP doesn't permit multiple Attribute names as filter. 
                 Key: WFLY-7842
                 URL: https://issues.jboss.org/browse/WFLY-7842
             Project: WildFly
          Issue Type: Bug
         Environment: CentOS release 6.8 (Final)
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/wildfly/10.1.0
JBoss AS release: 2.2.0.Final "Kenny"
JBoss AS product: WildFly Full 10.1.0.Final
JAVA_HOME: null
java.version: 1.8.0_40
java.vm.vendor: Oracle Corporation
java.vm.version: 25.40-b25
os.name: Linux
os.version: 4.6.3-1.el6.elrepo.x86_64

            Reporter: Daniel Draper
            Assignee: Jason Greene


When hooking up our Wildfly Application to our SSO (CAS) for authentication and delegating Authorization to a Security Realm and then using LDAP we ran into the following problem:

*Use Case*

We want to use authorization inside a Security-Realm through LDAP.

In our LDAP setup we have a Group-To-Principal matching of the form "_member=uid=x_" OR "_submember=uid=x_" depending on whether the user was added manually or through an autodomain.

Unfortunately, as far as we could tell, using two attributes in the Polish Notation (as is required by [LDAP|https://ldapwiki.com/wiki/LDAP%20filters%20Syntax%20and%20Choices]) seems to be impossible for the wildfly configuration. We tried the following in the standalone-accounting.xml (in different iterations and ways to place the parentheses), which all led to an 'unbalanced Parenthesis' or similar error when starting up wildfly.

{code:xml}
<management>
    <security-realms>
        <security-realm name="bla">
            <authorization>
                <ldap connection="ldap">
                    <username-to-dn>
                        <username-is-dn/>
                    </username-to-dn>
                    <group-search group-name="SIMPLE" iterative="false" group-dn-attribute="cn" group-name-attribute="cn">
                        <group-to-principal search-by="SIMPLE" base-dn="ou=roles,***" recursive="false">
                            <membership-filter principal-attribute="|(submember=uid={0})(member=uid={0})"/>
                        </group-to-principal>
                    </group-search>
                </ldap>
            </authorization>
        </security-realm>
    </security-realms>
</management>
{code}

We then found that the filterString is parsed the following way (see [LdapGroupSearcherFactory#L115|https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/LdapGroupSearcherFactory.java#L115]):

{code:java}
this.filterString = String.format("(%s={0})", principalAttribute);
{code}

which seems to make multiple attribute names as a filter impossible, which makes our use case as above impossible.

Asked in the [Forums|https://developer.jboss.org/thread/273435], but since I didn't get any answers for 3 weeks, I'm opening it here.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
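Added example (Python; not code from the report or from WildFly): it mirrors the quoted String.format template, shows why prefixing a compound expression to it yields an unbalanced filter, and checks each string against a minimal RFC 4515 grammar. The compound_membership_filter builder and the parser are constructions of this example, not WildFly API.

```python
import re

# Constructed mirror of the single-attribute template quoted in the report,
# String.format("(%s={0})", principalAttribute). "{0}" is kept literal: it is
# the JNDI filter-argument placeholder that the LDAP search fills in from a
# separate argument, so the principal is never concatenated into filter text.
def wildfly_style_filter(principal_attribute):
    return "(%s={0})" % principal_attribute

# Hypothetical builder for what the reporter wanted: one OR (or AND) node
# over several membership attributes, each compared with the same argument.
def compound_membership_filter(attributes, combine="|"):
    items = "".join("(%s={0})" % a for a in attributes)
    return "(%s%s)" % (combine, items)

_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*=[^()]*")

def _parse(s, i):
    """Recursive-descent check of the RFC 4515 subset used here:
    filter = '(' ( '&'|'|' filter+ | '!' filter | attr '=' value ) ')'.
    Returns the index just past the filter or raises ValueError."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        i, count = i + 1, 0
        while i < len(s) and s[i] == "(":
            i, count = _parse(s, i), count + 1
        if count == 0:
            raise ValueError("empty filter list at %d" % i)
    elif i < len(s) and s[i] == "!":
        i = _parse(s, i + 1)
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError("expected attr=value at %d" % i)
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)  # the report's 'unbalanced' case
    return i + 1

def is_wellformed(filter_string):
    try:
        return _parse(filter_string, 0) == len(filter_string)
    except ValueError:
        return False
```

Feeding the report's principal-attribute value through the template gives "(|(submember=uid={0})(member=uid={0})={0})", which the parser rejects at the stray "=", while the OR node built directly around the two attributes is accepted.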

